This is an attempt to make the permissions/roles needed to set up Kubermatic on vSphere reproducible:
- roles are defined in ./roles.tf
- an example folder structure is created in ./folders.tf
- an example script using govc to set up vSphere users and groups is in ./scripts/create-user-and-group.sh
Because: on vSphere, users/groups and roles cannot be attached as permissions to entities without a BIG CAVEAT:
attaching permissions via the vsphere_entity_permissions Terraform resource
will remove ALL UNMANAGED permissions from that entity!
That means you either manage ALL permissions on a resource with Terraform, or you don't manage any of them with Terraform at all!
Example:
- datastore ds-1 has a lot of manually attached permissions
- a Terraform solution wants to attach the Kubermatic roles to their respective users and allow them access to ds-1
- Terraform will remove all manually attached permissions from ds-1
- you are sad because this breaks other stuff
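The only safe way to use vsphere_entity_permissions on such an entity is to declare the existing permissions alongside the new Kubermatic one. The following is an added example written for this README, not code from this repository; the datacenter name, role labels and principal names are assumptions:

```hcl
# Added example (not part of this repository): manage ALL permissions on
# datastore ds-1 in one vsphere_entity_permissions resource so the manually
# attached permissions survive the apply. Datacenter, role and principal
# names are assumptions for illustration.

data "vsphere_datacenter" "dc" {
  name = "dc-1" # assumed datacenter name
}

data "vsphere_datastore" "ds1" {
  name          = "ds-1"
  datacenter_id = data.vsphere_datacenter.dc.id
}

# Built-in role used by the pre-existing manual permission (assumed).
data "vsphere_role" "admin" {
  label = "Administrator"
}

# Role defined by this repository in roles.tf; the label is assumed.
data "vsphere_role" "kubermatic" {
  label = "kubermatic-datastore"
}

resource "vsphere_entity_permissions" "ds1" {
  entity_id   = data.vsphere_datastore.ds1.id
  entity_type = "Datastore"

  # 1) Re-declare every permission that already exists on ds-1. Anything
  #    missing from this resource is removed when the plan is applied.
  permissions {
    user_or_group = "vsphere.local\\backup-operators" # assumed existing group
    propagate     = true
    is_group      = true
    role_id       = data.vsphere_role.admin.id
  }

  # 2) The permission Kubermatic needs, for the user created by
  #    scripts/create-user-and-group.sh (user name assumed).
  permissions {
    user_or_group = "vsphere.local\\kubermatic"
    propagate     = true
    is_group      = false
    role_id       = data.vsphere_role.kubermatic.id
  }
}
```

Review the permissions diff in terraform plan before applying: any principal shown as removed is one that exists on ds-1 but was not declared in this resource.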